b'   Review of Incident Handling and Reporting at the Railroad Retirement Board \n\n                        Report No. 06-09, August 24, 2006 \n\n\n                                    INTRODUCTION \n\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) review of\ncomputer incident handling and reporting at the Railroad Retirement Board (RRB). A\ncomputer incident is a violation, or imminent threat of violation, of computer security\npolicies, acceptable use policies, or standard computer security practices.\n\nBackground\n\nThe RRB administers the retirement/survivor and unemployment/sickness insurance\nbenefit programs for railroad workers and their families under the Railroad Retirement\nand Railroad Unemployment Insurance Acts. These programs provide income\nprotection during old age and in the event of disability, death, temporary unemployment\nor sickness. The RRB paid over $9.2 billion in benefits during fiscal year (FY) 2005.\n\nThe RRB\xe2\x80\x99s information system environment consists of two general support systems:\nthe mainframe computer, and the end-user computing system which supports the\nRRB\xe2\x80\x99s local and wide-area networks including the computer security incident capability\nprogram. The RRB has experienced relatively few computer incidents that successfully\npenetrated agency defenses during FYs 2005 and 2006 with usually no more than 30\nisolated incidents in any one month. During that period, only one major incident had\nwidespread impact within the agency.\n\nThis review was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347),\nTitle III, the Federal Information Security Management Act of 2002 (FISMA). FISMA\nmandates that the National Institute of Standards and Technology (NIST) develop\nstandards and guidance, including minimum requirements, for the security of agency\ninformation and information systems. FISMA also established a Federal information\nsecurity incident center, headed by the Department of Homeland Security\xe2\x80\x99s Computer\nEmergency Readiness Team (US-CERT), to compile and analyze security incidents and\nprovide assistance to Federal agencies on current or potential information security\nthreats and vulnerabilities. US-CERT has issued an official taxonomy which defines the\nincident and event categories and reporting timeframes for Federal agency reporting.\nThe US-CERT Taxonomy is included as Appendix I to this report.\n\nFISMA mandates that agencies develop, document, and implement an agency-wide\ninformation security program that includes procedures for detecting, reporting, and\nresponding to security incidents. Additionally, FISMA requires the OIG to conduct an\nannual evaluation of the information security, including incident handling and reporting.\n\nThe RRB has developed policies and procedures to protect the information system\nenvironment, including communication networks and data, from unauthorized use,\nmisuse, or abuse by both internal and external threats. The RRB Computer Security\nIncident Response Plan (CSIRP) procedures include incident handling and reporting\n\x0cand the establishment of a Computer Emergency Response Team (CERT) comprised\nof Bureau of Information Services (BIS) employees. Each RRB CERT member has\nbeen assigned various roles and responsibilities for incident handling and reporting. A\nsynopsis of each member\xe2\x80\x99s roles and responsibilities is presented in Appendix II.\n\nThe RRB CERT manages computer security incidents as they occur. Computer\nsecurity incidents can be identified in a number of ways. If a user detects unusual\nactivity, he will report it to the Help Desk. Additionally, RRB CERT members are\nresponsible for reviewing agency logs for suspicious activity. The logs may be\nproduced by the operating system, access control software, antivirus software, data\ncommunication devices, or the intrusion detection system. After the RRB CERT\nmember confirms the existence of a computer security incident, they respond by\ncontaining and eradicating the threat, and restoring the system if necessary.\n\nThe RRB CERT member responding to the incident is required to maintain\ndocumentation that may consist of the logs identified above, or forensically sound and\nlegally admissible evidence for more serious incidents. Additionally, the lead\ninvestigator maintains a separate RRB CERT log of incidents by assigning a unique\ncase number and details about the incident. This log is used to compile incident reports\ninternally for RRB management, and externally for the US-CERT.\n\nThe RRB CERT continually works to improve the RRB\xe2\x80\x99s computer security\ninfrastructure. They have reported several initiatives which they believe will enhance\nthe RRB\xe2\x80\x99s computer security incident capability. These initiatives include an intrusion\nprevention system, policy enforcement software, and new help desk and spam\nprevention software. Additionally, they reported the completion of a special project to\nensure all desktops have been fully patched to allow for more efficient distribution of\nfuture desktop upgrades and virus definition files.\n\nA glossary of technical terms is included at Appendix III.\n\nObjective, Scope and Methodology\n\nThe objectives of this review were to:\n\n   1. Determine whether the RRB\xe2\x80\x99s incident handling and reporting program is\n      operating effectively to ensure the confidentiality, integrity and availability of the\n      RRB\xe2\x80\x99s information and information technology.\n\n   2. Determine whether the RRB\xe2\x80\x99s program meets the standards and guidelines\n      established by the US-CERT for external reporting.\n\nTo accomplish these objectives, we:\n\n    \xe2\x80\xa2   interviewed responsible management and staff;\n\x0c    \xe2\x80\xa2\t obtained and reviewed the RRB\xe2\x80\x99s policies and procedures for incident response\n       and reporting;\n    \xe2\x80\xa2\t obtained evidence of the RRB\xe2\x80\x99s computer security incidents and actions taken\n       during FYs 2005 and 2006, including, but not limited to, logs, correspondence,\n       and internal and external reports;\n    \xe2\x80\xa2\t obtained and reviewed NIST criteria for incident handling and minimum control\n       requirements;\n    \xe2\x80\xa2\t obtained and reviewed US-CERT criteria for incident reporting;\n    \xe2\x80\xa2\t obtained and reviewed US-CERT compilations of reports made by the RRB;\n    \xe2\x80\xa2\t performed comparative analysis of the RRB\xe2\x80\x99s policies and procedures to the\n       criteria established by NIST and US-CERT;\n    \xe2\x80\xa2\t assessed the agency\xe2\x80\x99s overall compliance with the applicable standards and\n       guidance for incident response handling and reporting by comparing the RRB\xe2\x80\x99s\n       actual incidents and reports to the RRB, NIST and US-CERT criteria; and\n    \xe2\x80\xa2\t obtained and reviewed the RRB\xe2\x80\x99s Plan of Actions and Milestones for previously\n       identified information security weaknesses.\n\nThe scope of our audit did not include program improvement initiatives reported by\nmanagement which were not completed prior to the start of fieldwork.\n\nOur work was performed in accordance with generally accepted government auditing\nstandards as applicable to the objectives. Audit fieldwork was conducted at RRB\nheadquarters in Chicago, Illinois from January through May 2006.\n\n                                       RESULTS OF REVIEW \n\n\nThe RRB\xe2\x80\x99s incident handling and reporting program is generally operating effectively in\nensuring the confidentiality, integrity and availability of the agency\xe2\x80\x99s information and\ninformation technology. However, the agency\xe2\x80\x99s program does not fully comply with\nstandards and guidelines established by the US-CERT for external reporting, and we\nobserved areas in which the RRB\xe2\x80\x99s program should be improved to ensure that the\nagency\xe2\x80\x99s risk has been minimized. The following deficiencies will be classified as\nreportable conditions in our FY 2006 evaluation of information security.1\n\n       \xe2\x80\xa2 The RRB\xe2\x80\x99s response plan is not always followed.\n       \xe2\x80\xa2 Malware incident prevention and handling needs improvement.\n\n1\n  A reportable condition exists when a security or management control weakness does not rise to the\nlevel of a significant deficiency, yet is still important enough to be reported to internal management. A\nsignificant deficiency is a weakness in an agency\xe2\x80\x99s overall information system security program or\nmanagement control structure, or within one or more information systems, that significantly restricts the\ncapability of the agency to carry out its mission or compromises the security of its information, information\nsystems, personnel, or other resources, operations, or assets.\n\x0c         \xe2\x80\xa2\t External reporting does not fully comply with US-CERT Requirements.\n         \xe2\x80\xa2\t Internal reporting is incomplete.\n         \xe2\x80\xa2\t The current patch management process is not fully effective in minimizing risk\n            from known vulnerabilities.\n\nIn addition, we observed that the RRB\xe2\x80\x99s formal plan of action and milestones for\nprogram remediation does not include previously identified weaknesses in the incident\nhandling and reporting process.\n\nManagement has agreed to take the recommended corrective action. The full text of\nthe Bureau of Information Services response is included in this report as Appendix IV.\n\nComputer Security Incident Response Plan (CSIRP) Is Not Always Followed\n\nThe RRB CSIRP provides the methodology to be used by the RRB CERT; yet, RRB\nCERT members do not always follow CSIRP procedures. In some cases, RRB CERT\nmembers were unaware of, or did not understand, all of their roles and responsibilities\nlisted in the CSIRP. Our review of the CSIRP and current practice showed\ndiscrepancies in the following areas.\n\n          \xe2\x80\xa2\t Some of the roles and responsibilities of the RRB CERT are not followed,\n             including oversight of RRB CERT activities.\n          \xe2\x80\xa2\t Documentation supporting all RRB CERT members\xe2\x80\x99 actions is not completed\n             by members outside of the BIS Risk Management Group, or consistently\n             within the Risk Management Group.\n\nFISMA requires agencies to develop \xe2\x80\x9cprocedures for detecting, reporting, and\nresponding to security incidents.\xe2\x80\x9d NIST Special Publication (SP) 800-61 provides\nguidance on the development of policies and procedures for incident response\ncapability.2 That guidance states that the operating procedures are the technical\nprocesses, techniques, checklists, and forms used by the incident response team.\nNIST requires the procedures to be comprehensive and detailed enough to ensure the\nagency\xe2\x80\x99s priorities are reflected in the response operations. Additionally, the\nprocedures should be tested and validated for accuracy and usefulness, and distributed\nto all team members. Training is also to be provided to the team members, and incident\nresponse documents can be used as an instructional tool for reinforcement.\n\nThe CSIRP was designed to represent best practices and the expected procedures of\nthe RRB CERT. However, the RRB CERT members have been given wide latitude in\nthe methodologies used to respond to and record incidents. The Chief Security Officer\nhas operational authority over the RRB CERT, but provides little or no oversight of RRB\nCERT activities. We found that current practices of the RRB CERT members do not\nalways conform to the procedures within the CSIRP. Additionally, previous\nmanagement control reviews were insufficient to determine the effectiveness of the\n2\n    NIST SP 800-61, \xe2\x80\x9cComputer Security Incident Handling Guide,\xe2\x80\x9d January 2004.\n\x0cincident response program. While revisions to the management control process are\ncurrently underway, ongoing supervision and training is needed to ensure adherence to\nthe operating procedures.\n\nThe RRB incident response capability is impaired when employees do not perform their\nexpected roles and responsibilities. As a result, computer security incidents may not be\nhandled as effectively as they could be.\n\nRecommendations:\n\nWe recommend that the Bureau of Information Services:\n\n      1. \t conduct training of the RRB CERT members\xe2\x80\x99 roles and responsibilities; and\n\n      2. \t implement controls to ensure the continued adherence to, and usefulness of,\n           the CSIRP procedures.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs with the recommendations and will conduct\ntraining of the RRB CERT members and implement controls to ensure continued\nadherence to the CSIRP procedures.\n\nMalware Incident Prevention and Handling Needs Improvement\n\nOur review disclosed several inefficiencies in the RRB\xe2\x80\x99s malware protection program,\nincluding inconsistent antivirus software configuration settings and missing or\nincomplete logs.\n\nFISMA requires agencies to develop \xe2\x80\x9cprocedures for detecting, reporting, and\nresponding to security incidents \xe2\x80\xa6 including mitigating risks associated with such\nincidents before substantial damage is done.\xe2\x80\x9d NIST SP 800-83 provides guidance on\nmalware incident prevention and handling.3 That guidance states that malware\nprevention-related policy considerations should include \xe2\x80\x9cspecifying which types of\npreventive software (e.g., antivirus software, spyware detection, and removal utilities)\nare required \xe2\x80\xa6 and listing the high-level requirements for configuring and maintaining\nthe software (e.g., software update frequency, system scan scope and frequency).\xe2\x80\x9d\n\nRRB management has not established a formal antivirus software configuration policy\nwhich specifies the requirements for configuring and maintaining that software.\nDiscussions with RRB CERT members revealed that their assumption of how the\nantivirus software is configured is inconsistent with the configurations displayed on the\nantivirus logs. The lack of a formal configuration policy, and procedures for\ndocumenting and approving deviations from that policy, can lead to ineffective practices.\n\n\n3\n    NIST SP 800-83, \xe2\x80\x9cGuide to Malware Incident Prevention and Handling,\xe2\x80\x9d November 2005.\n\x0cWe also noted that the antivirus software\xe2\x80\x99s threat history logs were incomplete for two\nmonths, and the RRB has been unable to produce the logs since January 2006. An\nactual cause of the missing log entries is unverifiable; however, RRB management\nbelieves problems with the software resulted in the missing data. The RRB has been\nunable to produce the threat history logs for several months because they appointed a\nnew antivirus administrator who requires specialized training in the use and\nmanagement of the software. The RRB did not have a valid backup administrator with\nthis knowledge.\n\nThreat history logs represent a primary source of information on RRB computer security\nincidents. The inability to produce the threat history logs impacts the identification,\nhandling, and reporting of computer security incidents.\n\nRecommendations:\n\nWe recommend that the Bureau of Information Services:\n\n      3. \t develop a formal antivirus configuration policy;\n      4. \t implement procedures for adequately documenting and approving deviations\n           from that policy;\n      5. \t appoint a backup administrator for managing the antivirus software; and\n      6. \t provide adequate training to the new antivirus administrator and backup \n\n           administrator. \n\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services agrees with the recommendations. They will\ndevelop a formal configuration policy and implement procedures for documenting\ndeviations from that policy. Additionally, the Bureau of Information Services will appoint\na backup administrator and provide training to the two network administrators\ndesignated as Norton Anti Virus administrators.\n\nExternal Reporting Does Not Fully Comply with US-CERT Requirements\n\nThe RRB\xe2\x80\x99s reporting of computer security incidents to US-CERT needs improvement.\nOur review disclosed that the RRB\xe2\x80\x99s incident reports did not conform to US-CERT\nreporting requirements, and were often incomplete. The most significant category of\ninadequate reporting was for successful malicious code identified by antivirus software.\n\nFISMA requires agencies to notify and consult with the Federal information security\nincident center, US-CERT, regarding computer security incidents. The US-CERT has\nissued guidance which defines the reporting categories and timeframes to be used by\nFederal agencies.4 This guidance is designed to ensure a consistent means of\nreporting and to provide a common platform to execute the US-CERT mission. US\n\n4\n    The US-CERT Taxonomy is included as Appendix I.\n\x0cCERT requires that successful malicious code that could not be quarantined by antivirus\nsoftware be reported daily.\n\nThe RRB did not comply with the US-CERT reporting requirements because the lead\ninvestigator responsible for preparing the reports made a conscious decision to deviate\nfrom the guidance. He stated the criteria for daily reporting of isolated successful\nmalicious code is unreasonable, and has decided not to follow it. Instead, he has\nchosen to report a compilation of these incidents on a monthly basis.\n\nWe also noted that the RRB\xe2\x80\x99s monthly compilation reports made to US-CERT did not\ninclude all instances of reportable security incidents. The lead investigator did not make\nRRB CERT log entries for all reportable incidents. Often, log entries are only made\nwhen he performs the CERT activity himself because he does not receive the\ninformation from other CERT members in a timely manner. For example, he is notified\nof isolated incidents involving malicious code identified by the antivirus software at the\nend of the month, rather than when the incident occurred. BIS management has not\nensured an effective means of communicating and reporting successful malicious code\nbetween team members.\n\nNonconforming and incomplete external reports made to US-CERT restricts their ability\nto perform their mission. The Office of Management and Budget (OMB) has indicated in\nits FY 2005 Report to Congress that \xe2\x80\x9cLess than full reporting hampers the government\xe2\x80\x99s\nability to know whether an incident is isolated at one agency or is part of a larger event,\ne.g., the widespread propagation of an Internet worm.\xe2\x80\x9d5\n\nRecommendations:\n\nWe recommend that the Bureau of Information Services:\n\n    7. \t implement controls to ensure incident reports released to US-CERT are \n\n         complete, accurate, and conform to US-CERT requirements; and \n\n    8. \t implement a system to track and communicate all incidents, including\n         successful malicious code identified by the antivirus software, from discovery to\n         completion and final reporting.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services generally concurs with the findings and has agreed\nto implement controls to ensure complete and accurate incident reports released to\nUS-CERT. However, the Bureau of Information Services is not currently prepared to\nensure those reports fully conform to US-CERT requirements. They have agreed to\nresolve the reporting issues associated with the antivirus software, and to provide for a\nlink between the antivirus administrator and help desk ticketing software to provide\ntimely and documented antivirus responses. When the link is established, the antivirus\n\n5\n \xe2\x80\x9cFY 2005 Report to Congress on Implementation of The Federal Information Security Management Act\nof 2002,\xe2\x80\x9d March 1, 2006.\n\x0cadministrator will be responsible for ensuring the reports are made in conformance to\nUS-CERT requirements.\n\nInternal Computer Security Incident Reporting Is Incomplete\n\nReporting of computer security incidents to RRB management needs improvement. \n\nOur review disclosed discrepancies between incident records and incident reports made \n\ninternally to RRB management, as well as delays in the reporting process. \n\n\nFISMA requires agencies to implement a computer security incident response program \n\nthat includes incident reporting. The RRB CERT is responsible for issuing a formal \n\nreport of major incidents to RRB management. Additionally, the RRB CERT reports the \n\nnumber of incidents in the monthly BIS Administrative Report. The current incident \n\ncategories reported are: \n\n\n   \xe2\x80\xa2   RRB CERT cases opened;\n   \xe2\x80\xa2   phishing attempts;\n   \xe2\x80\xa2   spam emails;\n   \xe2\x80\xa2   successful malicious code; and\n   \xe2\x80\xa2   intrusion detection system events on the public-facing web server.\n\nWe found that the monthly BIS Administrative Reports did not include all instances of\nmalicious code. For example, our interviews with BIS staff disclosed that the most\nprevalent security incident experienced by the RRB is spyware. However, there is no\nseparate category for reporting spyware, and spyware that has not been detected by\nthe antivirus software is not included in the compilation of successful malicious code.\n\nWe also noted that RRB CERT log entries were not made, nor adequate documentation\nretained, for all spyware incidents. Of the eight CERT log entries made during the\nmonths of October through December 2005, five were for malicious code, four of which\ninvolved spyware. Only two of the four spyware cases have adequate supporting\ndocumentation. We also noted that log entries for other types of incidents contained\ninaccurate data when compared with CERT case documentation.\n\nAdditionally, our review of the three months of antivirus logs that were available in FY\n2006 showed that the number of computers infected in October had been miscounted.\nThe BIS Administrative Report over-reported the number of infected systems by four.\nAntivirus logs are made available to the RRB CERT member responsible for preparing\nthe incident reports at the end of each month. Due to the volume of entries on the log\n(both successful and unsuccessful malicious code), errors in counts can easily be\nmade.\n\nThe RRB\xe2\x80\x99s major incident in August 2005 required the preparation of a formal report for\nRRB management. However, as of March 2006, that report has not yet been issued.\nWe were told that the RRB CERT made several recommendations to BIS management,\nand are awaiting a decision on those recommendations. They have chosen to wait\nuntil the decisions are made before issuing the final report to RRB management.\n\x0cAs previously noted, the Chief Security Officer has operational authority over the RRB\nCERT, but provides little or no oversight of RRB CERT activities. Inaccurate,\nincomplete, or delayed internal reporting prevents RRB management from adequately\nassessing the risk involved in RRB programs. Likewise, untimely reports lose their\neffectiveness in notifying higher levels of management of the status and issues\ninvolved.\n\nRecommendations:\n\nWe recommend that the Bureau of Information Services:\n\n      9. \t implement controls to ensure internal reports of incidents are accurate and\n           complete; and\n      10. \t issue reports of major incidents to RRB management as soon as the nature of\n            the incident is known, rather than when recommendations for future actions are\n            implemented.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs with the recommendations and will adopt\ncontrols specified in NIST SP-800-53. Additionally, the Bureau of Information Services\nagrees to revise their procedures to have final incident reports available to the CIO\nwithin 60 days of incident closure.\n\nCurrent Patch Management Process Is Not Fully Effective In Minimizing Risk\n\nRRB systems continue to be at risk for major security incidents. The OIG has reported\nnumerous times, dating back to July 2001, that the RRB did not have security patches\nand updated service packs installed on their servers. RRB patch installations on\nnetwork servers are generally performed manually over multiple weeks, with automated\ndesktop patches installed thereafter.\n\nNIST Federal Information Processing Standards Publication 200 establishes the NIST\nSP 800-53 as the \xe2\x80\x9cMinimum Security Requirements for Federal Information and\nInformation Systems\xe2\x80\x9d effective March 9, 2006.6 Federal agencies must be in\ncompliance with these standards by March 9, 2007. NIST SP 800-53 requires Federal\nagencies to identify, report, and correct information system flaws by promptly installing\nnewly released security relevant patches, service packs and hot fixes, and testing\nsoftware for effectiveness and potential side effects on the agency\xe2\x80\x99s information\nsystems before installation.\n\nNIST SP 800-53 also requires agencies to develop, disseminate, and periodically\nreview and update formal, documented system and information integrity policies and\nprocedures that address the control area of which flaw remediation is included.\n\n\n6\n    NIST SP 800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems,\xe2\x80\x9d February 2005.\n\x0cThe RRB management has not adopted formal patch management policy and\nprocedures that ensure patches are installed quickly and effectively. Microsoft\nCorporation releases patches on the second Tuesday of each month, and gives\ncustomers advance notice on the Thursday before the patch is released. This notice\nincludes the products that will be patched and the severity of the vulnerabilities\nassociated with the patch. Recent trends show that hackers take advantage of newly\ndisclosed software flaws which compel organizations to implement better processes for\ntesting and installing patches quickly and effectively.\n\nFor example, in August 2005, the RRB experienced a major computer security incident\nwith widespread agency impact. The Microsoft patch for that vulnerability was released\non August 9, 2005. The RRB\xe2\x80\x99s infection occurred during the week of August 14, 2005.\nAgency antivirus logs indicate that the security incident which first occurred in August\nwas still affecting the RRB\xe2\x80\x99s information systems the following November. Yet, other\nFederal agencies claim to have experienced little, if any, impact on their networks\nbecause they tested and implemented the patch from Microsoft in less than three days.\n\nWhile patch installation is no guarantee that a security incident will not occur, a properly\ndesigned, effective patch management program should reduce the risks associated with\nidentified vulnerabilities. Timeliness is a key part of an effective patch management\nprogram.\n\nThe BIS Network Services Group developed the procedures it currently follows after the\nAugust 2005 incident: an undocumented, informal, patch management process based\non \xe2\x80\x9cincreased awareness.\xe2\x80\x9d However, over time, informal procedures can degrade due\nto resource constraints and complacency when the original emergency has passed.\n\nThe BIS Risk Management Group has drafted a patch management policy which\ndelineates, on a priority basis, the devices and timing for patch management. This plan\nallows up to 30 days for completion of action on some patches, depending on the\nassigned priority. No decision has been made regarding whether to adopt this, or a\nmore aggressive policy.\n\nA faster, smoother method of installing patches throughout the RRB should be\nimplemented, utilizing a checklist to ensure all affected systems are appropriately\npatched. Documentation of the patch installation should be maintained to support\nverification of patch completions.\n\nRecommendation:\n\n   11. \t We recommend that the Bureau of Information Services develop and\n         implement a formal policy and procedure addressing patch management.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services has agreed to develop and implement a formal\npatch management policy and procedure.\n\x0cKnown Weaknesses Are Not Included in the RRB\xe2\x80\x99s Plan of Action and Milestones\n\nThe agency\xe2\x80\x99s Plan of Action and Milestones (POAM) does not include previously\nidentified weaknesses in the RRB computer security incident response program.\n\nFISMA requires Federal agencies to maintain a process for planning, implementing,\nevaluating, and documenting remedial action to address any deficiencies in the\ninformation security, policies, procedures, and practices of the agency. The OMB\nrequires agencies to prepare an agency wide POAM incorporating all known information\nsecurity weaknesses associated with information systems used or operated by the\nagency, a contractor of the agency, or any other organization on behalf of the agency.\nOMB also requires the agency to prepare quarterly updates of the progress in\nimplementing remedial actions and identifying problems, and an OIG evaluation of the\nPOAM process.\n\nIn our FY 2005 FISMA report, we stated that the RRB\xe2\x80\x99s POAM was not comprehensive\nwith respect to identified weaknesses, and not driven by internal risk assessments and\ncontrol evaluations. We also reported that the existing plan did not demonstrate\nprioritization of agency plans and efforts to correct information security weaknesses.\nWe recommended that the agency improve its remedial action process to ensure all\nsecurity weaknesses are included in the POAM and ensure that the plan demonstrates\nthe prioritization of agency remediation efforts.7\n\nDuring our FY 2005 FISMA review, we also identified weaknesses in the agency\xe2\x80\x99s\nprocedures for incident response handling and reporting. These weaknesses were\nconveyed to RRB management through the OIG\xe2\x80\x99s OMB FISMA Template Report issued\non October 5, 2005. As of May 31, 2006, the RRB had released two quarterly updates\nof its POAM, neither of which reflects the weakness we identified in the OMB FISMA\nTemplate Report. Prioritization of remedial actions and an adequate assessment of risk\ncannot be achieved without inclusion of all security weaknesses.\n\nThis finding will be considered when we evaluate the RRB\xe2\x80\x99s remedial action process as\npart of the OIG\xe2\x80\x99s FY 2006 FISMA evaluation and reporting process.\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\n\n\n7\n \xe2\x80\x9cFiscal Year 2005 Evaluation of Information Security at the Railroad Retirement Board,\xe2\x80\x9d OIG Report No.\n05-11, September 28, 2005.\n\x0c                                                                                                APPENDIX I\n                          US-CERT Federal Agency Reporting Taxonomy\n                              Federal Agency Incident Categories\n\n CATEGORY              NAME                       DESCRIPTION                 REPORTING TIMEFRAME\nCAT 0           Exercise/Network       This category is used during           Not Applicable; this\n                Defense Testing        state, federal, national,              category is for each\n                                       international exercises and            agency\xe2\x80\x99s internal use\n                                       approved activity testing of           during exercises.\n                                       internal/external network\n                                       defenses or responses.\nCAT 1           Unauthorized           In this category an individual         Within one (1) hour of\n                Access*                gains logical or physical access       discovery/detection.\n                                       without permission to a federal\n                                       agency network, system,\n                                       application, data, or other\n                                       resource.\nCAT 2           Denial of Service      An attack that successfully            Within two (2) hours of\n                (DoS)*                 prevents or impairs the normal         discovery/detection if the\n                                       authorized functionality of            successful attack is still\n                                       networks, systems or applications      ongoing and the agency is\n                                       by exhausting resources. This          unable to successfully\n                                       activity includes being the victim     mitigate activity.\n                                       or participating in the DoS.\nCAT 3           Malicious Code*        Successful installation of             Daily.\n                                       malicious software (i.e., virus,\n                                       worm, spyware, bots, Trojan            Note: Within one (1) hour\n                                       horse, or other code-based             of discovery/detection if\n                                       malicious entity that infects or       widespread across agency.\n                                       affects an operating system or\n                                       application. Agencies are NOT\n                                       required to report malicious logic\n                                       that has been successfully\n                                       quarantined by antivirus software.\nCAT 4           Improper Usage*        A person violates acceptable           Weekly\n                                       computing use policies.\n*Defined by NIST Special Publication 800-61\n\n                                   Federal Agency Event Categories\n\n CATEGORY             NAME                       DESCRIPTION                  REPORTING TIMEFRAME\nCAT 5           Scans/Probes/          This category includes an activity     Monthly.\n                Attempted Access       that seeks to access or identify a\n                                       federal agency computer, open          Note: If system is\n                                       ports, protocols, service, or any      classified, report within one\n                                       combination for later exploit. This    (1) hour of discovery.\n                                       activity does not directly result in\n                                       a compromise or denial of\n                                       service.\nCAT 6           Investigation          Unconfirmed incidents that are         Not Applicable; this\n                                       potentially malicious or               category is for each\n                                       anomalous activity deemed by the       agency\xe2\x80\x99s use to categorize\n                                       reporting entity to warrant further    a potential incident that is\n                                       review.                                currently being\n                                                                              investigated.\n\nThe US-CERT Taxonomy as published on the US-CERT website: www.us-cert.gov.\n\x0c                                                                                      APPENDIX II\n                   RRB CERT MEMBER\xe2\x80\x99S ROLES AND RESPONSIBILITIES\n\n\nChief Information Officer (CIO)\n\nThe CIO is delegated operational responsibility for the protection of the RRB information resources\nand shall approve CERT membership as recommended by the Chief Security Officer (CSO). CIO\nresponsibilities include:\n   \xe2\x80\xa2\t decision authority to disconnect or turn off mission critical systems ;\n   \xe2\x80\xa2\t ensuring the CERT is properly staffed and equipped to perform its functions;\n   \xe2\x80\xa2\t ensuring an appropriate level of protection for all RRB information resources; and\n   \xe2\x80\xa2\t ensuring appropriate measures are in place to protect RRB information technology assets.\n\nChief of Information Resources Management\n\nThe Chief of Information Resources Management is the senior management representative for the\nCERT and coordinates and assists in resolving any incident response issues with other senior\nmanagers in the RRB, including escalating issues to the CIO for action if required. The Information\nResources Management Center includes the Risk Management Group. The Risk Management\nGroup, headed by the CSO, is responsible for providing a standard, systematic, enterprise-wide\nprocess for risk management.\n\nChief Security Officer\n\nThe CSO has operational authority over the CERT and coordinates with managers including the\nCIO and Chief of Information Resources Management. CSO responsibilities include:\n    \xe2\x80\xa2\t ensuring the RRB policy and procedures conform to the requirements of Federal laws and\n       regulations;\n    \xe2\x80\xa2\t promulgates additional policy and procedures as necessary to provide for adequate\n       computer security;\n    \xe2\x80\xa2\t recommends CERT members to the CIO for approval;\n    \xe2\x80\xa2\t translates technical details of incidents into business impact statements for the benefit of\n       senior, non-technical management;\n    \xe2\x80\xa2\t advises the CIO of the potential impact an incident could have on business operations;\n    \xe2\x80\xa2\t ensures that a computer security incident reporting systems is developed, implemented,\n       monitored and evaluated;\n    \xe2\x80\xa2\t evaluates and activates the CERT on suspected security intrusion, incidents or violations\n       reported from the BIS Customer Services Support Group; and\n    \xe2\x80\xa2\t recommends corrective measures and solutions to prevent or resolve computer security\n       related incidents.\n\nLead Investigator (LI)\n\nThe LI is authorized by the CIO to lead the CERT in conducting authorized computer incident\ninvestigations. The LI is normally a member of the CSO\xe2\x80\x99s staff unless criminal involvement is\nsuspected or discovered, in which case the Office of Inspector General\xe2\x80\x99s Office of Investigations\nassumes responsibility. The LI, in cooperation with the CERT, is responsible for responding to\nsuspected or actual incidents in a timely manner. The LI may need to perform highly complex\ntasks, and is expected to have a high level of technical expertise. The LI undergoes\ncomprehensive training in the tools and techniques of incident response and computer forensics.\nLI responsibilities include:\n    \xe2\x80\xa2\t managing and directing the incident response team, including periodic training;\n    \xe2\x80\xa2\t serving as a link between management and the incident response team;\n    \xe2\x80\xa2\t informing the CSO of CERT actions;\n\x0c                                                                                       APPENDIX II\n                    RRB CERT MEMBER\xe2\x80\x99S ROLES AND RESPONSIBILITIES\n\n\n   \xe2\x80\xa2\t   submitting incident reports, both internally and externally;\n   \xe2\x80\xa2\t   maintaining the Computer Security Incident Response Plan procedures;\n   \xe2\x80\xa2\t   selecting and using incident response tools, including a separate forensics workstation; and\n   \xe2\x80\xa2\t   installing, configuring, and using the RRB intrusion detection/prevention tools.\n\nNetwork Engineer (NE)\n\nThe NE plays a pivotal role on the CERT by assisting the LI with specific tasks, including collecting\ndetailed data about the state of an affected system when an incident occurs. Often, the NE is\ninvolved at the earliest stages of an incident and may be the first person to detect when an incident\noccurs. The NE is a staff member of the Network Services Group and is responsible for:\n    \xe2\x80\xa2\t ensuring that RRB system security conform to best practices;\n    \xe2\x80\xa2\t securing RRB systems to prevent intrusions and unauthorized access;\n    \xe2\x80\xa2\t ensuring all RRB general support systems are secured and patched in accordance with\n        RRB policy;\n    \xe2\x80\xa2\t generating and collecting detailed audit logs as prescribed by the LI;\n    \xe2\x80\xa2\t monitoring and validating user account activity;\n    \xe2\x80\xa2\t configuring system security settings in accordance with RRB policy; and\n    \xe2\x80\xa2\t performing administrative functions on key infrastructure components such as domain\n        name systems, network attached storage, email, web, and antivirus servers.\n\nData Communications Engineer (DCE)\n\nThe DCE plays a significant role on the CERT by ensuring that the network devices (routers,\nswitches, firewalls, and virtual private network implementations) are secured. The DCE may be the\nfirst person to recognize a potential incident requiring further investigation. The DCE is a staff\nmember of the Network Services Group and is responsible for:\n\n   \xe2\x80\xa2\t configuring network devices to ensure appropriate level of protection;\n   \xe2\x80\xa2\t securing the RRB internetworking systems to prevent intrusions and unauthorized accesses\n      according to best practices of the profession;\n   \xe2\x80\xa2\t ensuring all RRB network devices are secured and patched in accordance with RRB policy;\n   \xe2\x80\xa2\t enabling and configuring logging on critical network devices;\n   \xe2\x80\xa2\t generating and collecting detailed audit logs as prescribed by the LI;\n   \xe2\x80\xa2\t monitoring network activity for anomalous or suspicious activity; and\n   \xe2\x80\xa2\t coordinating with providers as required by Service Level Agreements.\n\nCustomer and Desktop Support Services Groups (CSSG/DSSG)\n\nThe CSSG/DSSG, within the Network Services Group, is the primary point of contact for all user\ninitiated computer security incident reporting. They are responsible for manning the RRB\xe2\x80\x99s Help\nDesk functions and ensuring individual workstations have been secured and patched in\naccordance with RRB policy. Upon recognition of an incident, the CSSG/DSSG will determine\nwhether the affected system poses a significant security threat to the agency, and if so, takes\nappropriate actions to isolate the affected system(s).\n\x0c                                                                                       APPENDIX II\n                   RRB CERT MEMBER\xe2\x80\x99S ROLES AND RESPONSIBILITIES\n\n\nSystem Security Specialist (SSS)\n\nThe SSS is responsible for all user related account functions and permissions for both the\nmainframe and end user computing systems. The SSS is likely the first person to notice\nquestionable user account activity during routine auditing functions. Other indicators of a computer\nsecurity incident involving the SSS are forwarded by a user who notices a problem with their\naccount. The SSS is also responsible for the internet web filtering application and may detect\nincidents involving unauthorized employee internet activity. The SSS is a staff member of the\nNetwork Services Group.\n\nMainframe Computer Supervisor and Staff (MCSS)\n\nThe MCSS is the primary technical point of contact for all mainframe related security issues. Their\nexpertise and support is critical in determining if the mainframe or data has been compromised\nduring a computer security incident, specifically in those incidents when the mainframe is\nsuspected of being the primary target. The mainframe system is the RRB\xe2\x80\x99s principal and critical\nline of business system.\n\nDatabase Administrator (DA)\n\nThe DA is the primary technical point of contact for all database related issues, regardless of what\nplatform the data resides on (mainframe or end-user computing). The DA has the technical\nexpertise to help identify if an RRB database has been compromised, and if so, can provide a\ndamage assessment and recommended corrective actions.\n\nWeb Administrator (WA)\n\nThe WA is responsible for all internet and intranet applications and proper hosting and access to\nRRB websites, both internal and external. The WA provides the coordination linkage with the E-\nGovernment developers, as well as with the contracted web hosting vendor.\n\nVarious Intra-agency Line-of-Business Staff\n\nEach major application has been appointed an Information System Security Officer and Line of\nBusiness manager who are responsible for providing technical and business impact support to the\nCERT effort as needed.\n\x0c                                                                                            APPENDIX III \n\n                                              GLOSSARY\n\n\n\nAntivirus Software: A program that monitors a computer or network to identify all major types of\nmalware and prevent or contain malware incidents.\n\nFirewall: A program that protects a computer or network from other networks by limiting and\nmonitoring network communications.\n\nHot fix: Microsoft\xe2\x80\x99s term for a security patch.\n\nIntrusion Detection System (IDS): Software that looks for suspicious activity and alerts\nadministrators.\n\nIntrusion Prevention System: A program that performs packet sniffing and analyzes network\ntraffic to identify and stop suspicious activity. Intrusion Prevention Systems may also be host-\nbased.\n\nMalicious code: A virus, worm, Trojan horse, or other code-based entity that infects a host.\n\nMalware: A program that is inserted into a system, usually covertly, with the intent of\ncompromising the confidentiality, integrity, or availability of the victim\xe2\x80\x99s data, applications, or\noperating system or of otherwise annoying or disrupting the victim.\n\nPatch: An additional piece of code developed to address a problem in an existing piece of\nsoftware.\n\nPatch Management: The process of acquiring, testing, and distributing patches to the appropriate\nadministrators and users throughout the organization.\n\nPhishing: Tricking individuals into disclosing sensitive personal information through deceptive\ncomputer-based means.\n\nQuarantining: Storing files containing malware in isolation for future disinfection or examination.\n\nRouter: A hardware device that allows data to be exchanged between networks. Routers are\nsimilar to bridges, but provide additional functionality, such as the ability to filter messages and\nforward them to different places based on various criteria.\n\nService pack: A method for conveniently bundling existing updates for a product. The bundle\ncontains new features and enhancements in order to improve security, reliability and to improve\nadministration.\n\nSpam: To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages,\nespecially commercial advertising in mass quantities. Noun: electronic "junk mail".\n\nSpyware: Stand-alone programs that can secretly monitor system activity and detect passwords\nand other confidential information and relay it back to another computer.\n\nSwitch: In networks, a device that filters and forwards packets between LAN segments. Switches\nsupport any packet protocol.\n\nThreat: Any circumstance or event, deliberate or unintentional, with the potential for causing harm\nto a system.\n\x0c                                                                                          APPENDIX III \n\n                                             GLOSSARY\n\n\n\nTrojan horse: A nonself-replicating program that seems to have a useful purpose, but in reality\nhas a different, malicious purpose.\n\nVirus: A program designed with malicious intent that has the ability to spread to multiple\ncomputers or programs. Most viruses have a trigger mechanism that defines the conditions under\nwhich it will spread and deliver a malicious payload of some type. Some viruses specifically\ndamage data by corrupting programs, deleting files, or reformatting disks.\n\nVirus Definition Files: Files that contain sample code for thousands of threats. When antivirus\nsoftware scans a computer, it attempts to find matches between the computer\xe2\x80\x99s files and the\nsample code inside the virus definition file. When a match is found, it is an indication that the file\nhas been infected.\n\nVPN (Virtual Private Network): A network where packets that are internal to a private network\npass across a public network. In a secure VPN, traffic is encrypted, integrity protected and\nencapsulated into new packets that are sent across the Internet.\n\nVulnerability: A weakness in a system, application, or network that is subject to exploitation or\nmisuse.\n\nWorm: A type of malicious code particular to networked computers. It is a self-replicating program\nthat works its way through a computer network exploiting vulnerable hosts, replicating and causing\nwhatever damage it was programmed to do.\n\x0c\x0c\x0c\x0c'